DETAILED ACTION



1. Claims 1-4, 6, 8-20, 23, 25, and 26 are pending.



2. Response filed 10/28/2008 has been received and considered.



Claim Rejections - 35 USC § 103 



3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains.
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 9-19, and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Squier et al. (US 7188181) in view of Sampson et al. (US 6339423).

As per claims 9-13, 17, and 23, Squier et al. discloses inputting at a first system 
that grants session credentials based on successful authentication, a request from a 
client to access a protected resource on the first system, the protected resource on the 
first system being accessible by the client only after successful authentication of the 
client at the first system (see column 5 lines 54-63); determining at the first system that 
a client does not have a valid session credential granted by the first system (see column 
5 line 64 through column 6 line 4); retrieving, at the first system, information from a 
session token held by the client, the information being retrieved from the client, the 
information corresponding to a session credential for the second system, the second 
system grants session credentials based on successful authentication at the second 
system and includes protected resources on the second system that is accessible by 
the client, the protected resource on the second system being accessible by the client
only after successful authentication of the client at the second system (see column 6 
lines 4-15) the first system presenting at least some of the information from the session 
token to the second system; the first system inputting a determination from the second 
system that the client has a valid session credential with the second system; and the 
first system effecting successful authentication to the client so as to grant access to the 
protected resource on the first system, to the client based on the determination from the 
second system that the client has a valid session credential with the second system 
(see column 6 line 41 through column 7 line 5 see also figure 2) the first system 
inputting information from the second system and in response the first system outputting 
to the second system a determination that the first system has a valid session credential 
for the client at the first system; and the second system effecting successful 
authentication so as to grant access to the further protected resource on the second 
system to the client based on the determination from the first system that the client has 
a valid session credential with the first system (see column 6 lines 41-56 and column 8 
lines 29-63 and column 9 lines 2-4). 

Squier et al. discloses that the request and session information are sent at the 
same time (see column 5 lines 54-63), therefore fails to disclose the session information 
is retrieved from the client after determining that the client does not have valid session 
credentials. 

However, Sampson et al. teaches sending a request to a server and the server 
determining that the client doesn't have valid session credentials and requesting a 
session token from the client (see column 3 lines 34-43 where the data transmitted to
the browser to go to the first server is a request to get a session token, i.e. cookies). 

At the time of the invention it would have been obvious to a person of ordinary 
skill in the art to request the client of Squier et al. to send a session token when it is 
determined that the client doesn't have valid session credentials. 

Motivation to do so would have been to allow a user to obtain credentials to 
access a server when the user did not originally have the credentials (see Sampson et 
al. column 3 lines 34-43). 

As per claim 14, the modified Squier et al. and Sampson et al. system discloses 
granting a session credential to the client by the first system, after determining that the 
client has a valid session credential granted by the second system (see Squier et al. 
column 6 lines 57-62). 

As per claim 15, the modified Squier et al. and Sampson et al. system discloses 
maintaining the client session credential granted by the second system (see Squier et 
al. column 6 lines 57-64).

As per claims 16 and 19, the modified Squier et al. and Sampson et al. system 
discloses associating session credentials for the first system and the second system 
with the client (see Squier et al. column 6 lines 57-64). 

As per claim 18, the modified Squier et al. and Sampson et al. system discloses 
granting the client session credentials for the first system (see Squier et al. column 6 
lines 57-64). 

5. Claims 1-4, 6, 8 and 20 are rejected under 35 U.S.C. 103(a) as being
unpatentable over the modified Squier et al. and Sampson et al. system in view of 
Howard et al. (US 6584505). 

As per claims 1 and 20, the modified Squier et al. and Sampson et al. system 
discloses inputting at a first system that grants session credentials based on successful 
authentication, a request from a client to access a protected resource on the first 
system, the protected resource on the first system being accessible by the client only 
after successful authentication of the client at the first system (see Squier et al. column
5 lines 54-63); determining at the first system that a client does not have a valid session
credential granted by the first system (see Squier et al. column 5 line 64 through column
6 line 4 and Sampson et al. column 3 lines 34-43); after the determining retrieving, at
the first system, information from a session token held by the client, the information 
being retrieved from the client, the information corresponding to a session credential for 
the second system, the second system grants session credentials based on successful 
authentication at the second system and includes protected resources on the second 
system that is accessible by the client, the protected resource on the second system 
being accessible by the client only after successful authentication of the client at the 
second system (see Squier et al. column 6 lines 4-15 and Sampson et al. column 3 
lines 34-43) the first system presenting at least some of the information from the 
session token to the second system; the first system inputting a determination from the 
second system that the client has a valid session credential with the second system; 
and the first system effecting successful authentication to the client so as to grant 
access to the protected resource on the first system, to the client based on the
determination from the second system that the client has a valid session credential with 
the second system (see Squier et al. column 6 line 41 through column 7 line 5 see also 
figure 2). 

The modified Squier et al. and Sampson et al. system fails to disclose directing
the client to the first system to establish a session credential based on successful 
authentication at the first system, after determining that the client does not have a valid 
session credential granted by the second system. 

However, Howard et al. teaches such redirection (see column 6 lines 51-52 and 
column 8 lines 54-57). 

At the time of the invention it would have been obvious to a person of ordinary 
skill in the art to redirect the client to a different server upon failed authentication. 

Motivation to do so would have been to allow the user to authenticate to a known 
server (see Howard et al. column 7 lines 52-65). 

As per claim 2, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses granting a session credential to the client by the first system, after 
determining that the client has a valid session credential granted by the second system 
(see Squier et al. column 6 lines 57-62). 

As per claim 3, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses sending a session token to the client, the token corresponding to a 
session credential granted by the first system (see Squier et al. column 6 lines 57-62). 



Application/Control Number: 10/026,403 Page 7 

Art Unit: 2437 

As per claim 4, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses a method comprising directing the client to the second system to 
establish a session credential based on successful authentication at the second system, 
after determining that the client does not have a valid session credential granted by the 
second system (see Squier et al. column 6 lines 30-40). 

As per claim 6, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses maintaining the client session credential granted by the second 
system (see Squier et al. column 6 lines 57-64).

As per claim 8, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses retrieving information from the session token held by the client 
comprises: sending a query to the client from the first system, the query including 
identification as originating from a domain name corresponding to the second system; 
and receiving a response to the query (see Howard column 8, lines 8-11). 

6. Claims 25 and 26 are rejected under 35 U.S.C. 103(a) as being unpatentable
over the modified Squier et al. and Sampson et al. system as applied to claim 23 above, 
and further in view of Marks et al. (US 20010054059). 

As per claims 25 and 26 the modified Squier et al. and Sampson et al. system 
fails to disclose that the protected resource is pay-per-use or subscription content. 

However, Marks et al. teaches content of this type (see paragraph [0028]). 

At the time of the invention it would have been obvious to a person of ordinary 
skill in the art to protect pay-per-use and subscription content using the modified Squier 
et al. and Sampson et al. system. 

Motivation to do so would have been that this type of content costs money and
protecting them prevents free use of the content. 

Response to Arguments 

7. Applicant's arguments filed 10/28/2008 have been fully considered but they are 
not persuasive. Applicant argues that the motivation to combine Sampson with Squire is 
insufficient; such a modification would change the principle operation of Squire and the 
remaining references fail to cure this deficiency. 

With respect to Applicant's argument that the motivation to combine Sampson 
with Squire is insufficient and such a modification would change the principle operation 
of Squire, the Squire system requires a user to send a request for a service with a 
session identifier thereby requiring that a user already have the session identifier (i.e. 
credentials). On the other hand Sampson allows a user to request a service without 
any credentials (i.e. session identifier or cookie) and when the first server determines 
that the request does not have any credentials for the first server it obtains credentials, 
from the client, which are from a different server to allow the user to access the first 
server. This provides the added benefit that the client can obtain credentials to access 
a server when the user did not originally have the credentials (as stated for motivation to 
combine). In other words this provides that a user does not have to permanently store 
the credentials because the user can retrieve them from the other server and only hold 
them long enough to send them to the first server. Furthermore, both Squire and 
Sampson teach methods of requesting a service from a server using session 
information from a different server and it would be obvious to replace Squires' method
of sending the session information together with the request with Sampson's method of 
sending the request separately from the session information because it would provide 
the predictable result of authenticating a user at a first server using session information 
from a second server. Additionally, it is clear that Squire and Sampson relate to similar 
methods with Sampson performing a step of Squire in multiple steps that would not 
change the principle operation of Squire. 

Applicant's argument that the remaining references fail to cure the above 
mentioned deficiency is moot in view of the above response. 

Conclusion 

8. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to MICHAEL PYZOCHA whose telephone number is 
(571)272-3875. The examiner can normally be reached on Monday-Thursday, 7:00am - 
4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/M. P./ 

Examiner, Art Unit 2437 
/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



